North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: Port 139 scans
At 09:54 AM 9/28/00 -0700, [email protected] wrote:
Indeed, nearly all of my woes have disappeared with this information. Thanks Ken!By the way, we identified a couple instances of the virus that Ken Lindahl mentioned in his earlier post.
Additionally, I set a trap for it yesterday. I opened a Windows box up to all internet traffic, made it nice and insecure (let me tell ya, that took a lot of work ;), and dialed it up. Then every half hour or so I checked for it. After an hour, I had a bug in a bottle.
Busting out the handy hex editor, I scrolled down, and down, and down, until what should appear before my burning eyes, but Lo! An IP address...
...which points to an open mail relay somewhere in China (184.108.40.206) which then is used to send the info(likely the IP addy of the infected box) to the local user nongmin_cn . If anyone else goes through this process, I'd be interested in knowing about it.
I already sent off abuse complaints to the upstreams for that IP. Hope they can read English :)
Ben Browning <[email protected]>
oz.net Network Operations
Tel (206) 443-8000 Fax (206) 443-0500